Following the launch of the new operating system, Windows 10, in July 2015, the CNIL was alerted by the media and political parties to the possibility that Microsoft Corporation was collecting excessive personal data. Meanwhile, a Contact group was created within the G29 (working party including national data protection agencies in Europe) to examine the issue and conduct investigations in the various member states concerned. It is within this context that the CNIL carried out seven on-line observations in April and June 2016 and questioned Microsoft Corporation on certain points of its privacy policy to check that Windows 10 complied with the French Data Protection Act.

This revealed a number of failures:

Irrelevant or excessive data collected:

The CNIL found that the company was collecting diagnostic and usage data via its telemetry service, which uses such data, among other things, to identify problems and to improve products. For this purpose, Microsoft Corporation processes, for instance, Windows app and Windows Store usage data, which provides information on, among other things, all the apps a user has downloaded and installed on the system and the time spent in each one. The company is therefore collecting excessive data, as these data are not necessary for the operation of the service.

A lack of security:

The company allows users to choose a four-character PIN to authenticate themselves for all its on-line services, notably to access their Microsoft account, which lists purchases made in the store and the payment instruments used. However, the number of attempts to enter the PIN is not limited, so the small number of possible PINs can be tried exhaustively, which means that user data is neither secure nor confidential.

Lack of individual consent:

An advertising ID is activated by default when Windows 10 is installed, enabling Windows apps and third-party apps to monitor user browsing and to serve targeted advertising without obtaining users’ consent.

Lack of information and no option to block cookies:

The company places advertising cookies on users’ terminals without properly informing them of this in advance or giving them a way to object to it.

Data still being transferred outside EU on a “safe harbour” basis:

The company is transferring its account holders’ personal data to the United States on a “safe harbour” basis, but this has not been a valid legal basis since the decision issued by the Court of Justice of the European Union on 6th October 2015.

The CNIL has therefore issued a formal notice to Microsoft to comply with French law, along with a three-month deadline. According to the CNIL, the issues affect “more than ten million Windows users on French territory,” which is an interesting statistic all by itself. The formal notice brings no further action by itself, but failure to comply within the designated timeframe could bring a formal investigation and potential sanctions.

So far, we haven’t seen any reaction from Microsoft, but we’ll be looking into this to see if the company has any plans to respond. In the meantime, let us know in the comments what you think about Microsoft’s Windows 10 data collection and if the French government has legitimate reason to be concerned.